Description
Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42)
peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the
victim's p and g parameters, a forged q = r (a small prime factor of the
cofactor (p−1)/q_local), and a public value Y of order r can recover the
victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the
subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's
own q parameter, not the local key's q. The peer's domain parameters are
then matched against the domain parameters of the private key, but the value
of q is not compared.

A malicious peer who presents an X9.42 key carrying the victim's p, g,
a forged q = r (a small prime factor of the cofactor), and a public
value Y of order r passes all checks. The shared secret then takes only
r distinct values, leaking priv mod r. Repeating for each small-prime
factor of the cofactor and combining via CRT recovers the full private
key (Lim–Lee / small-subgroup-confinement attack).
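The check the advisory describes, side by side with the check a defender wants, as an added illustration that is not OpenSSL's code and not part of the advisory. The flawed variant runs the subgroup membership test with the peer-supplied q and never compares q against the local key; the hardened variant requires the peer's full (p, q, g) to equal the local parameters and runs the membership test with the local q. The group below is a constructed toy (p = 67, q = 11, cofactor 6 with small prime factor r = 3) far too small for real use; the function and field names are the example's own.

```python
# Added example, not OpenSSL code. Contrasts the flawed DHX peer-key check
# described in the advisory (membership test run with the peer's own q, q
# never compared) with a full validation against the LOCAL parameters.
from dataclasses import dataclass


@dataclass(frozen=True)
class FfcParams:
    p: int  # prime modulus
    q: int  # prime order of the intended subgroup
    g: int  # generator of the order-q subgroup


@dataclass(frozen=True)
class PeerKey:
    params: FfcParams  # domain parameters the peer claims to use
    y: int             # peer's public value


def vulnerable_peer_check(local: FfcParams, peer: PeerKey) -> bool:
    """Flawed logic as the advisory describes it: Y^q == 1 (mod p) is tested
    with the peer's q, and p and g are compared with the local key but q is
    not."""
    pp = peer.params
    if not (1 < peer.y < pp.p - 1):
        return False
    if pow(peer.y, pp.q, pp.p) != 1:      # peer-chosen q
        return False
    return pp.p == local.p and pp.g == local.g   # q is never compared


def hardened_peer_check(local: FfcParams, peer: PeerKey) -> bool:
    """Reject unless the peer's whole parameter set equals the local one and
    Y lies in the local order-q subgroup (full public-key validation)."""
    pp = peer.params
    if (pp.p, pp.q, pp.g) != (local.p, local.q, local.g):
        return False
    if not (1 < peer.y < local.p - 1):
        return False
    return pow(peer.y, local.q, local.p) == 1    # membership test uses LOCAL q


# Constructed toy group: p = 67, p - 1 = 2 * 3 * 11, local q = 11, r = 3.
# g = 2^((p-1)/11) mod p = 64 generates the order-11 subgroup.
LOCAL = FfcParams(p=67, q=11, g=64)

# Honest peer: same parameters, Y = g^5 mod p = 25, which lies in the q-subgroup.
HONEST_PEER = PeerKey(params=LOCAL, y=25)

# Forged peer key of the shape the advisory describes: victim's p and g, q
# replaced by r = 3, and Y = 2^((p-1)/3) mod p = 37, an element of order 3.
FORGED_PEER = PeerKey(params=FfcParams(p=67, q=3, g=64), y=37)


def demo() -> dict:
    """Return the verdict of both checks for the honest and the forged key."""
    return {
        "honest_vulnerable": vulnerable_peer_check(LOCAL, HONEST_PEER),
        "honest_hardened": hardened_peer_check(LOCAL, HONEST_PEER),
        "forged_vulnerable": vulnerable_peer_check(LOCAL, FORGED_PEER),
        "forged_hardened": hardened_peer_check(LOCAL, FORGED_PEER),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accepted' if verdict else 'rejected'}")
```

Running the block shows the forged key accepted by the flawed check and rejected by the hardened one, while the honest key passes both. The hardened check is the property to look for when auditing an application that loads static DHX peer keys: equality of q with the local parameters, then a membership test with that q, before any shared secret is derived.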

The realistic attack surface is narrow: principally CMP deployments with
long-lived RA/CA DHX keys, and bespoke enterprise or government applications
using X9.42 DHX static keys with interactive protocols. This issue was
therefore assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this
issue.
Published: 2026-06-09
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During the Diffie-Hellman key exchange implemented in OpenSSL, a vulnerable implementation of EVP_PKEY_derive_set_peer() does not properly verify that the peer's group parameters are consistent with the local key. An attacker can supply a synthetic X9.42 key that uses the victim's p and g values but replaces the q parameter with a small prime that divides the co-factor and supplies a public value Y of that small order. Because the subgroup membership test uses the peer's own q instead of the local q, this malicious key passes all validity checks. The resulting shared secret has only a few possible values, allowing the attacker to recover the victim's private DH key after a few exchanges. If the attacker repeats this process for each small subgroup, the full private key can be reconstructed using the Chinese remainder theorem.

Affected Systems

All OpenSSL FIPS modules up to and including 4.0, 3.6, 3.5, 3.4, and 3.0 are affected. Systems that deploy X9.42 DHX static keys (commonly found in certificate-management protocols and some government or enterprise applications) are directly exposed.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the issue is specific to a narrow set of deployments that use static DHX keys with custom domain parameters. The exploit requires a malicious peer during the key exchange and the attacker must supply precisely crafted subgroup parameters. While the risk is low for general internet traffic, any environment that performs manual or automated X9.42 Diffie-Hellman key agreement could be compromised. The CVSS score is 3.7, indicating a low-severity risk, yet the potential outcome is total loss of confidentiality for the private key if the vulnerability is leveraged.

Generated by OpenCVE AI on June 9, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSSL to the latest patch level that implements the corrected subgroup validation logic (the referenced GitHub commits provide the fix). This also covers the FIPS modules where the defect existed.
  • Verify that any custom application libraries are rebuilt against the updated OpenSSL build and that EVP_PKEY_derive_set_peer() now uses the local q for subgroup checks.
  • Where possible, avoid using static X9.42 DHX keys; switch to dynamic key agreement or use standard groups (e.g., X9.62 or 2048-bit MODP) that are known to be properly validated. In environments where static keys remain required, enable application-level validation that rejects peer keys with mismatched q values.



Advisories

Source      ID          Title
Debian DSA  DSA-6335-1  openssl security update
Ubuntu USN  USN-8414-1  OpenSSL vulnerabilities

History

Tue, 09 Jun 2026 20:30:00 +0000
  Metrics added:
    cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000
  First Time appeared: Openssl; Openssl openssl
  Vendors & Products added: Openssl; Openssl openssl

Tue, 09 Jun 2026 16:30:00 +0000
  Description added: identical to the Description section above
  Title added: FFC-DH Peer Validation Uses Attacker-Supplied q
  Weaknesses added: CWE-325
References

MITRE
  Status: PUBLISHED
  Assigner: openssl
  Published:
  Updated: 2026-06-09T19:35:28.505Z
  Reserved: 2026-04-29T09:22:27.969Z
  Link: CVE-2026-42770

Vulnrichment
  Updated: 2026-06-09T19:34:36.935Z

NVD
  Status: Awaiting Analysis
  Published: 2026-06-09T17:17:08.523
  Modified: 2026-06-09T21:17:17.960
  Link: CVE-2026-42770

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-09T22:15:15Z

Weaknesses